域间路由策略的协同管理问题

互联网由多个自治域互联组成,自治域之间按照各自的域间路由策略交换路由信息和转发流量。由于管理自治域的ISP各自为政,独立配置和管理自己的路由策略,缺少协同机制,容易引起路由震荡、热土豆路由、异常路由等问题。本文提倡采用协同的方式管理域间路由策略,通过列举一些典型的域间路由策略问题,提出一套域间路由策略的多方协同控制与管理体系,并重点讨论了协同管理的基础性问题--安全比较协议。该协议可以被应用在互联网域间路由策略的管理中,对于分布式故障检测、分布式网络性能能测量等相关应用,也具有较好的参考价值。     

Inter-domain policy violations in multi-hop overlay routes: Analysis and mitigation

The Internet is a complex structure arising from the interconnection of numerous autonomous systems (AS), each exercising its own administrative policies to reflect the commercial agreements behind the interconnection. However, routing in service overlay networks is quite capable of violating these policies to its advantage. To prevent these violations, we see an impending drive in the current Internet to detect and filter overlay traffic. In this paper, we first present results from a case study overlay network, constructed on top of PlanetLab, that helps us gain insights into the frequency and characteristics of the different inter-domain policy violations. Further, we investigate the impact of two types of overlay traffic filtering that aim to prevent these routing policy violations: blind filtering and policy-aware filtering. We show that such filtering can be detrimental to the performance of overlay routing. We next consider two approaches that allow the overlay network to realize the full advantage of overlay routing in this context. In the first approach, overlay nodes are added so that good overlay paths do not represent inter-domain policy violations. In the second approach, the overlay acquires permits from certain ASes that allow certain policy violations to occur. We develop a single cost-sharing framework that allows the incorporation of both approaches into a single strategy. We formulate and solve an optimization problem that aims to determine how the overlay network should allocate a given budget between paying for additional overlay nodes and paying for permits (transit and exit) to ASes. We illustrate the use of this approach on our case study overlay network and evaluate its performance under varying network characteristics.     

边界网关协议BGP4路由收敛问题研究进展

边界网关协议BGP4是目前Internet最主要的域问路由协议，其路由正确性和稳定性直接关系到Internet能否正常运行．作为一个域问路由协议，BGP协议必须支持策略路由，允许各个自治系统独立的制定他们的路由策略，而且允许这些策略优先于路径尺度．由于各个自治系统制定策略的角度不同，这些路由策略之间可能存在冲突，从而导致BGP协议发散及路由振荡．此外，BGP协议本身也存在一些内在机制的不完善，并可能导致在某些情况下路由不收敛或收敛速度缓慢．随着网络规模越来越大，拓扑越来越复杂，BGP路由收敛问题日趋严重，目前国内外对此展开了大量的研究，并提出了多种分析模型和解决方案．本文首先全面总结了BGP协议面临的主要的收敛问题，主要包括策略冲突和协议机制造成的不收敛问题和收敛缓慢问题，然后全面介绍了针对这些问题的现有的解决方案，分析比较了这些方案的优点和缺点，最后提出了进一步的研究设想．     

A network accountability based verification mechanism for detecting inter-domain routing path inconsistency

Border Gateway Protocol (BGP) has no mechanism to guarantee the consistency between actual routing path and announced routing path in the inter-domain routing. Due to incentives of gaining more economic benefits, malicious Autonomous Systems (AS) could announce inconsistent path and misroute data packets. In this case, routing policies are meaningless, rational ASes are cheated and stability of Internet is destroyed seriously. Existing methods are devoted to securing announce routing path only or discovering path inconsistency with lots of overhead. Based on network accountability, a routing path verification mechanism is proposed to detect path inconsistency. The mechanism enables ASes in the path to generate routing evidence. Routing evidence is produced by analyzing packets in a time slot and is encrypted with the key of AS. With routing evidence, source AS checks every subpath connecting adjacent ASes until it confirms the existence of path inconsistency. The factors that influence the mechanism and the deployment in the real network are also discussed. The experiment results show that it has a good performance from aspects of effectiveness, overhead and scalability.     

MANET与Internet互连网关自适应协同策略设计

为了提高MANET与Internet互连环境的服务质量, 在采用AODV路由协议的MANET互连网关中应用了自适应策略。在分析自适应算法对网络性能参数改进的基础上, 提出了针对网关公告TTL和网关公告间隔的改进自适应协同策略, 并在AODV路由协议中进行实现。通过NS2平台对设计的自适应协同策略互连网关的性能进行仿真验证。结果表明, 采用多自适应协同策略的网关可以提供高效的接入服务, 并能够有效改善互连环境的服务质量。     

基于本体的多智能体Internet动态路由研究

在Internet路由方面,传统采用的点对点或广播方式不能满足网络信息传输的效率要求,而采用组播方式缓解这个问题的相关研究大多为静态方法,不能很好地解决Internet提出的动态问题。为了实现高效率、自适应的Internet动态路由策略,在多Agent技术和本体论知识基础上,提出基于本体建立开放式多智能体Internet动态路由结构框架的思想。建立了基于多Agent的体系架构,并使用主体开发工具Protégé描述Internet主动路由的概念主体和任务主体模型,以支持Agent之间的知识共享和通信。根据该体系架构建立基于多Agent的Internet路由控制与分析系统（Multi-Agent Internet Routing System,MAIRS）。通过与相同实验环境下NS2的仿真结果进行比较,表明这个结合多Agent技术和本体方法的体系结构能够满足Internet路由的动态性和互操作性的需求。     

Information Classification

Abstract

This article devotes four sections to addressing specific information classification topics and what policies for those topics might look like. Included in the text will be a formal discussion on each of the topics and examples of existing policy statements. The author will analyze these policies and establish the framework for the development of such policies for any organization. The first topic to be discussed will be information classification. From there the author will examine the need for an e-mail policy and then an Internet policy along with the supporting awareness program needed for Internet compliance. Finally, the author will establish a basic list of corporate level policies that every organization should have along with the sight modification required to support an information security program.     

Trust Management and Admission Control for Host-Based Collaborative Intrusion Detection

The accuracy of detecting an intrusion within a network of intrusion detection systems (IDSes) depends on the efficiency of collaboration between member IDSes. The security itself within this network is an additional concern that needs to be addressed. In this paper, we present a trust-based framework for secure and effective collaboration within an intrusion detection network (IDN). In particular, we design a trust model that allows each IDS to evaluate the trustworthiness of other IDSes based on its personal experience. We also propose an admission control algorithm for the IDS to manage the acquaintances it approaches for advice about intrusions. We discuss the effectiveness of our approach in protecting the IDN against common attacks. Additionally, experimental results demonstrate that our system yields significant improvement in detecting intrusions. The trust model further improves the robustness of the collaborative system against malicious attacks. The experimental results also support that our admission control algorithm is effective and fair, and creates incentives for collaboration.     

Compact policy routing

The main concern in this paper is to generalize compact routing to arbitrary routing policies that favor a broader set of path attributes beyond path length. Using the formalism of routing algebras we identify the algebraic requirements for a routing policy to be realizable with sublinear size routing tables, and we show that a wealth of practical policies can be classified by our results. By generalizing the notion of stretch, we also discover the algebraic validity of compact routing schemes considered so far and we show that there are routing policies for which one cannot expect sublinear scaling even if permitting arbitrary constant stretch. Finally, we apply our methodology to the routing policies used in Internet inter-domain routing, and we show that our algebraic approach readily generalizes to this setting as well.     

校园网多出口环境下的路由策略研究与应用——以青岛职业技术学院为例

分析了目前高校多出口网络环境下存在的诸多问题,提出了适合青岛职业技术学院现状的解决方案,即利用DNS view功能实现按源请求地址返回服务器不同IP地址,并配合防火墙路由策略较好地解决了校外用户快速访问校内资源,以及校内用户快速访问互联网的问题。     

基于区块链的域间路由策略符合性验证方法

域间路由系统自治域(ASes)间具有不同的商业关系和路由策略.违反自治域间出站策略协定的路由传播可能引发路由泄露,进而导致网络中断、流量窃听、链路过载等严重后果.路由策略符合性验证对于保证域间路由系统安全性和稳定性至关重要.但自治域对本地路由策略自主配置与隐私保护的双重需求增加了验证路由策略符合性的难度,使其一直是域间路由安全领域尚未妥善解决的难点问题.提出一种基于区块链的域间路由策略符合性验证方法.该方法以区块链和密码学技术作为信任背书,使自治域能够以安全和隐私的方式发布、交互、验证和执行路由策略期望,通过生成对应路由更新的路由证明,保证路由传播过程的真实性,从而以多方协同的方式完成路由策略符合性验证.通过实现原型系统并基于真实路由数据开展实验与分析,结果表明该方法可以在不泄露自治域商业关系和本地路由策略的前提下针对路由传播出站策略符合性进行可追溯的验证,以合理的开销有效抑制策略违规路由传播,在局部部署情况下也具有显著的策略违规路由抑制能力.     

BGP路由策略对路由稳定性的影响分析

在Internet中,域间的路由是由域间路由协议控制的。边界网关协议（BGP）是广泛使用的用于在各个自治系统之间交换网络可达信息的域间路由协议。BGP允许每个自治系统实施各种本地路由策略。用以进行路由的选择和传播。然而,不同的自治系统所制定的本地路由策略可能存在潜在的冲突,从而导致路由的振荡。该文给出了一个BGP的抽象模型,并通过实例分析BGP路由策略对路由稳定性的影响。     

基于遗传算法的多约束QoS多播路由优化算法

随着大量新型的多媒体在高性能网络、移动网络及Internet中的应用，满足QoS约束的多播路由问题成为越来越重要，它吸引了许多爱好者．本文讨论了多约束QoS多播路由问题，主要包含延迟、延迟抖动、带宽和分组丢失率等QoS约束，文中描述了一种在动态网络环境及不确定参数下适应于研究QoS多播路由的网络模型．提出了一种在网络规模、可行性方面为Imernet、移动网络和高性能网络下基于遗传算法的多约束QoS多播路由优化算法（MQMRGA）．仿真结果表明该算法收敛速度快、可靠性高．MQMRGA为QoS多播路由提供了一种新的有效途径．     

Model-based diagnosis techniques for Internet delay diagnosis with dynamic routing

In this paper we propose a model-based approach to diagnose latencies in computer networks. We formalize this problem as a model-based diagnosis (MBD) problem and propose a range of methods to solve it. Three solution approaches are proposed: a conflict-directed approach, a constraint satisfaction approach and a linear programming approach. We discuss the pros and cons of these approaches and describe which approaches are suited to handle which network routing policies. In particular we handle this work networks with static routing policies, where there exists a static route between every pair of end-users, as well as two common types of dynamic routing policies, where information between a pair of end users may pass via more than a single route. The performance of the proposed approaches is demonstrated experimentally on two domains: the standard NS2 network simulator and on parts of the Internet topology obtained from the Route Views project. Both able to find diagnoses fast for network models with 1,000 nodes.     

战术互联网网络一体化关键技术研究

根据战术互联网的一体化需求,对战术互联网路由协议体系,服务质鼍（QoS）控制和QoS路由问题展开研究。针对战术互联网的分布式体系结构,提出了基于链路反转的区域路由协议;根据服务质晕控制中业务需求和网络资源同时动态变化的特点,引入自适应控制模型,设计了自适应QoS控制的基本模型和实现框架;通过分析QoS路由面临的主要问题,结合链路反转和遗传算法的基本思想,提出了分布式遗传算法QoS路由协议。     

基于信任评估的安全路由方案设计

分析基于贝叶斯方法的信任评估过程,针对其不能较好反映信任评估的一些重要属性的缺陷,对其信任更新过程进行改进与优化,增强贝叶斯信任评估方法的健壮性和有效性。提出基于贝叶斯方法的信任评估模型和安全路由框架,并实现一种基于AODV的安全可信路由方案TBAODV。仿真实验验证了该方案的有效性。     

具备网络编码感知的能耗友好WSN路由策略

为均衡及降低无线传感器网络(WSN)的路由能耗并最终延长网络的寿命,提出一种具备网络编码感知且能耗敏感的WSN路由策略。该策略通过对WSN环境中存在的网络寿命限制、数据流限制、广播流量限制3个重要因素的分析,对能耗最优路由进行建模,最后归结为对最优化问题的求解获得最佳路径。仿真实验表明该路由策略能够较好地均衡节点的能耗,从整体上显著延长WSN的生存期。     

Agent system for inter-AS routing error diagnosis

The basic unit of Internet routing is called an autonomous system, or AS, defined as a set of routers under a single technical administration. The Internet currently comprises more than 12,000 AS's. Some are university or corporate networks; others are ISP networks. Inside an AS, a single authority controls the deployment of policies and protocols by which routers compute intra-AS paths, including paths to gateway or border routers. For inter-AS routing, the situation is more complicated. Most AS's manage the exchange of routing information through the Internet Engineering Task Force's border gateway protocol. BGP lets an AS advertise "reachability" information throughout the Internet by sending update information when network topology or routing policies change. BGP is a hop-by-hop protocol, which sends the information only to a gateway router's immediate neighbors. At NTT Network Innovation Laboratories, we have developed and are currently testing a multiagent-based system called Encore to automatically diagnose inter-AS routing problems. We briefly describe the problem addressed by the system, its design and current implementation, and recent test results     

Trust-based exchange of services to motivate cooperation in P2P networks

In this paper we propose a trust-based exchange framework to motivate cooperation among peers of different consumption, contribution and service evaluation profiles. Our framework consists of distributed resource allocation and server selection policies based on local reputation vectors. We present how proposed policies outperform previous work and lead to the autonomic formation of coalitions between peers who mutually profit by exchanging their services. In this way the utilities of all peers progressively improve without pre-existing knowledge of one another’s service evaluation and capability profiles. Peers’ coalitions are dynamically reformatted, adapting to network changes, e.g., when new peers enter the system or peers vary their profiles. Only misbehaving (non contributive) peers cannot benefit by our framework, which efficiently blocks misbehavior.     

多层次域间路由安全监测系统的设计与实现

基于边界网关协议(BGP)的域间路由系统已经成为Internet的核心路由设施,但由于BGP本身缺乏安全机制,很容易受到各种人为配置错误或者恶意攻击的影响。我们开发的域间路由监测系统可以从4个层次实现对域间路由的安全监测,分别是Internet、国家网络、特定ISP和特定路由。本文详细介绍了多层次域间路由安全监测系统的组成结构、软件结构、设计思想、实现技术和测试结果。